Another case of Smitfraud
Running an IBM on Windows 2000 Server - with the characteristic blue screen showing 'fatal exception due to smitfraud.c'.
Following tips on this site (and others) we were able to remove the blue screen and remove some of the troublesome files. However, the desktop remains completely invisible and any attempts to utilise explorer (either on the internet or locally) do not work.
The HijackThis log is included below.
Logfile of HijackThis v1.99.1
Scan saved at 10:39:13 PM, on 9/05/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)
Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\LEXBCES.EXE
G:\WINNT\system32\spoolsv.exe
G:\WINNT\System32\msdtc.exe
Z:\avgamsvr.exe
Z:\avgupsvc.exe
G:\WINNT\system32\Dfssvc.exe
G:\WINNT\System32\tcpsvcs.exe
G:\WINNT\System32\svchost.exe
G:\WINNT\System32\LexPnPAgent.exe
G:\WINNT\System32\llssrv.exe
G:\WINNT\system32\ntfrs.exe
G:\WINNT\system32\regsvc.exe
G:\Program Files\Dantz\Retrospect\retrorun.exe
G:\WINNT\System32\locator.exe
G:\WINNT\system32\MSTask.exe
G:\WINNT\System32\snmp.exe
G:\WINNT\system32\ZONELABS\vsmon.exe
G:\WINNT\System32\wins.exe
G:\WINNT\System32\dns.exe
G:\WINNT\System32\inetsrv\inetinfo.exe
G:\WINNT\System32\mqsvc.exe
G:\WINNT\System32\dmadmin.exe
G:\WINNT\System32\svchost.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\Documents and Settings\Sean.ADMIN\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - G:\WINNT\xmllib.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [PnPDef] G:\WINNT\System32\LexPnPDef.exe
O4 - HKLM\..\Run: [Zone Labs Client] G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] Z:\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] Z:\avgemc.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: G:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = admin.astarr
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = admin.astarr
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = admin.astarr
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = admin.astarr
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - Z:\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - Z:\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - G:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - G:\WINNT\system32\LEXBCES.EXE
O23 - Service: Lexmark Network Plug and Print (LexPnPAgent) - Lexmark International, Inc. - G:\WINNT\System32\LexPnPAgent.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - G:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINNT\system32\ZONELABS\vsmon.exe
Looking forward to hearing from you, and thank you in advance.
Sean.
Comments
Norton did not register any items. AVG removed six Startpage trojans and a repeat scan showed no other items.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - G:\WINNT\xmllib.dll
Reboot your computer into SAFE MODE
Then delete these files or directories (Do not be concerned if they do not exist):
G:\WINNT\xmllib.dll
Reboot your computer to go back to normal mode and post a new log.
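The reply above works the log by hand: spot the O2 BHO entry, tick it for Fix Checked, then delete the DLL it loads from safe mode. The script below is an added example (not part of this thread, not HijackThis code) that automates the same triage as a defender-side check: it parses HijackThis v1.99-style lines, and for every O2 BHO whose DLL sits directly in the Windows directory rather than in System32 or Program Files (a heuristic assumed here because that is where the xmllib.dll entry above lives, not a rule HijackThis itself applies) it produces the line to fix and the file to delete. The sample log is constructed from a few lines of the log posted above; the Windows directory G:\WINNT is taken from the same log.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample: four lines in HijackThis v1.99 format, copied from the
# log posted in this thread (drive letter G:, Windows directory G:\WINNT).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - G:\WINNT\xmllib.dll
O4 - HKLM\..\Run: [Zone Labs Client] G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINNT\system32\ZONELABS\vsmon.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


@dataclass
class Entry:
    section: str            # e.g. "O2"
    raw: str                # the full line, exactly as HijackThis prints it
    fields: dict = field(default_factory=dict)


def parse_hjt(text):
    """Parse HijackThis entry lines; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        fields = {}
        if section == "O2":
            b = BHO_RE.match(body)
            if b:
                fields = b.groupdict()
        elif section == "O23" and body.startswith("Service: "):
            # "Service: <name> - <vendor> - <binary path>"; split from the right
            # so vendor names containing commas survive intact.
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                fields = dict(zip(("name", "vendor", "path"), parts))
        elif section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            fields = {"key": key, "value": value}
        entries.append(Entry(section, line, fields))
    return entries


def loads_from_windows_root(path, windows_dir):
    """Heuristic (assumed here): a DLL directly in the Windows directory itself,
    not in a subdirectory such as System32, is worth a closer look."""
    parent = str(PureWindowsPath(path).parent).lower()
    return parent == str(PureWindowsPath(windows_dir)).lower()


def remediation_plan(entries, windows_dir):
    """Return the lines to tick in HijackThis (Fix Checked) and the files to
    delete from safe mode, mirroring the manual procedure in the reply above."""
    plan = {"fix_checked": [], "delete_files": []}
    for e in entries:
        path = e.fields.get("path")
        if e.section == "O2" and path and loads_from_windows_root(path, windows_dir):
            plan["fix_checked"].append(e.raw)
            plan["delete_files"].append(path)
    return plan


if __name__ == "__main__":
    plan = remediation_plan(parse_hjt(SAMPLE_LOG), r"G:\WINNT")
    print("Fix Checked:")
    for line in plan["fix_checked"]:
        print("  " + line)
    print("Delete in safe mode:")
    for path in plan["delete_files"]:
        print("  " + path)
```

The plan is deliberately a list of lines and paths rather than an action: the script flags and reports, and the operator still reviews each item before fixing it, exactly as the reply asks the poster to do.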